US7796828B2 - Apparatus for filtering malicious multimedia data using sequential processing and method thereof - Google Patents

Apparatus for filtering malicious multimedia data using sequential processing and method thereof

Info

Publication number
US7796828B2
Authority
US
United States
Prior art keywords
maliciousness
class
moving pictures
determination
data
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active, expires
Application number
US11/633,989
Other versions
US20070233735A1 (en)
Inventor
Seung Wan Han
Chi Yoon Jeong
SuGil Choi
Taek Yong Nam
Jong Soo Jang
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Electronics and Telecommunications Research Institute ETRI
Original Assignee
Electronics and Telecommunications Research Institute ETRI
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Electronics and Telecommunications Research Institute ETRI filed Critical Electronics and Telecommunications Research Institute ETRI
Assigned to ELECTRONICS AND TELECOMMUNICATIONS RESEARCH INSTITUTE reassignment ELECTRONICS AND TELECOMMUNICATIONS RESEARCH INSTITUTE ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: CHOI, SUGIL, HAN, SEUNG WAN, JANG, JONG SOO, JEONG, CHI YOON, NAM, TAEK YONG
Publication of US20070233735A1
Application granted
Publication of US7796828B2
Legal status: Active (expiration adjusted)

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416: Event detection, e.g. attack signature detection
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F15/00: Digital computers in general; Data processing equipment in general
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00: Error detection; Error correction; Monitoring
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55: Detecting local intrusion or implementing counter-measures
    • G06F21/56: Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562: Static detection
    • G06F21/563: Static detection by source code analysis
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/02: Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227: Filtering policies
    • H04L63/0236: Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00: Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/03: Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F2221/033: Test or assess software

Definitions

  • FIG. 1 is a block diagram of a structure of an apparatus for filtering a malicious multimedia service based on sequential data processing according to an embodiment of the present invention
  • FIG. 2 is a block diagram of a detailed structure of a maliciousness classification model training unit of FIG. 1 according to an embodiment of the present invention
  • FIG. 3A is a block diagram of a detailed structure of a malicious data classification unit of FIG. 1 according to an embodiment of the present invention
  • FIG. 3B is a block diagram of a detailed structure of a malicious data classification unit of FIG. 1 according to another embodiment of the present invention.
  • FIG. 3C is a block diagram of a detailed structure of a malicious data classification unit of FIG. 1 according to another embodiment of the present invention.
  • FIG. 4 is a flowchart of a method of filtering a malicious multimedia service based on sequential data processing according to an embodiment of the present invention
  • FIG. 5 is a detailed flowchart of an operation for determining whether or not moving pictures belong to a maliciousness class of FIG. 4 according to an embodiment of the present invention
  • FIG. 6A illustrates a result of providing a service with filtering malicious moving pictures according to an embodiment of the present invention.
  • FIG. 6B illustrates a result of providing a service with filtering malicious moving pictures according to another embodiment of the present invention.
  • the apparatus includes a maliciousness classification model training unit 110 , a malicious data classification unit 120 , and a malicious information filtering unit 130 .
  • the maliciousness classification model training unit 110 receives an input of multimedia data whose maliciousness degree is known in advance, extracts a feature with which a maliciousness class can be classified, and generates a malicious information classification model through machine training in operation S 410 .
  • the malicious data classification unit 120 calculates the maliciousness class probability of data, by using the malicious information classification model generated in the maliciousness classification model training unit 110 in operation S 420 .
  • the malicious information filtering unit 130 cuts off a service that is classified as a maliciousness class, and continues to provide services that are not classified as a maliciousness class.
  • the maliciousness classification model training unit 110 is divided into a compressed domain unit 210 generating a compressed domain maliciousness classification model (a first determination model) when sample data (training moving pictures) is compressed, and a non-compressed domain unit 220 generating a non-compressed domain maliciousness classification model (a second determination model).
  • a first feature extraction unit 211 extracts a feature with which the class of malicious data in the sample data can be classified.
  • a first machine training unit 213 receives the input of the feature and performs machine training.
  • a first model generation unit 215 receives the input of the result of the machine training and generates and outputs the first determination model.
  • a decompression unit 221 decodes sample data to decompress the data, and outputs the result.
  • a second feature extraction unit 223 extracts a feature with which the class of malicious data in the decompressed sample data can be classified.
  • a second machine training unit 225 receives the input of this feature and performs machine training.
  • a second model training unit 227 receives the input of the result of the machine training and generates and outputs the second determination model. The process here is performed in operation S 410 .
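The training pipeline sketched above (feature extraction, machine training, model generation) can be illustrated in Python. This is an illustrative assumption, not the patent's implementation: the scalar feature, the Gaussian class-conditional densities, and all sample values below are hypothetical stand-ins for the moving-picture features and machine-trained models the text leaves unspecified.

```python
from math import exp, log, pi, sqrt

def fit_gaussian(values):
    """Fit a 1-D Gaussian (mean, variance) to training feature values."""
    m = sum(values) / len(values)
    v = sum((x - m) ** 2 for x in values) / len(values) or 1e-9
    return m, v

def gaussian_pdf(x, mean, var):
    """Density of the fitted Gaussian at x."""
    return exp(-(x - mean) ** 2 / (2 * var)) / sqrt(2 * pi * var)

# Hypothetical scalar feature values (e.g., a per-frame skin-tone ratio)
# for maliciousness class i and for data that is not class i.
malicious_feats = [0.70, 0.82, 0.75, 0.68, 0.77]
harmless_feats  = [0.10, 0.22, 0.15, 0.30, 0.12]

# The "maliciousness determination model" here is simply the two fitted
# densities P_i and P_n, used later to score incoming data items.
model = {
    "class_i": fit_gaussian(malicious_feats),
    "not_class_i": fit_gaussian(harmless_feats),
}

def score(feature, model):
    """Return (P_i(y_t), P_n(y_t)) for one extracted feature."""
    p_i = gaussian_pdf(feature, *model["class_i"])
    p_n = gaussian_pdf(feature, *model["not_class_i"])
    return p_i, p_n
```

In the patent, one such model is trained in the compressed domain and a second in the non-compressed domain; the sketch applies unchanged to either, with only the feature extractor differing.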
  • the malicious data classification unit 120 sequentially receives moving pictures that require maliciousness determinations in operation S 420 .
  • a probability ratio that the data item at the determination time belongs to a predetermined maliciousness class, together with an accumulated probability ratio, is calculated so that it can be determined whether or not the data is malicious in operation S 430 .
  • FIG. 3A shows a case where a maliciousness classification model in a compressed domain (hereinafter referred to as a ‘first determination model’) is used and
  • FIG. 3B shows a case where a maliciousness classification model in a non-compressed domain (hereinafter referred to as a ‘second determination model’) is used.
  • FIG. 3C shows a case where both of the models are used.
  • a first input unit 311 receives the input moving pictures sequentially, and transfers data items one by one to a compressed domain feature extraction unit 313 .
  • the compressed domain feature extraction unit 313 extracts the feature of the data in operation S 505 , and transfers the feature to a first maliciousness determination unit 315 .
  • the first maliciousness determination unit 315 calculates a maliciousness class probability ratio by using the first determination model in operation S 507 .
  • a first accumulated maliciousness determination unit 317 finally determines the maliciousness class of the input moving pictures by considering the maliciousness class probability ratio calculated in the first maliciousness determination unit 315 and a maliciousness class ratio of data items previous to the determination time in operations S 508 through S 513 .
  • a malicious information filtering unit 130 provides the multimedia service to users if the input moving pictures are determined to be included in a harmless class.
  • when the service should be cut off entirely if any part of the input moving pictures is malicious, the determination process is finished, and when only part of the input moving pictures includes a malicious part and the service of the input moving pictures is selectively cut off, the above process is repeatedly performed in operation S 515 .
  • a decompression unit 323 is further disposed and a process of decompressing data is required in operation S 503 .
  • a second input unit 321 transfers the input moving pictures to the decompression unit 323 .
  • the decompression unit 323 decodes the input moving pictures and sequentially transfers the result to a non-compressed domain feature extraction unit 325 .
  • the non-compressed domain feature extraction unit 325 extracts the feature of the data in operation S 505 , and transfers the feature to a second maliciousness determination unit 327 .
  • the second maliciousness determination unit 327 calculates a maliciousness class probability ratio by using the second determination model in operation S 507 .
  • a second accumulated maliciousness determination unit 329 finally determines the maliciousness class of the input moving pictures by considering the maliciousness class probability ratio calculated in the second maliciousness determination unit 327 and a maliciousness class ratio of data items previous to the determination time in operations S 508 through S 513 .
  • the malicious information filtering unit 130 provides the multimedia service to users if the input moving pictures are determined to be included in a harmless class. When the service should be cut off entirely if any part of the input moving pictures is malicious, the determination process is finished; when only part of the input moving pictures includes a malicious part and the service of the input moving pictures is selectively cut off, the above process is repeatedly performed in operation S 515 .
  • the malicious data classification unit 120 sequentially receives data from the multimedia service (input moving pictures) through the first input unit 311 . If the input unit 311 transfers a t-th data item (y t ) to the compressed domain feature extraction unit 313 , the compressed domain feature extraction unit 313 extracts t-th compressed data feature F t from the data (y t ) in operation S 505 .
  • the first maliciousness determination unit 315 calculates a probability P i (y t ) that the t-th compressed data item is maliciousness class i, and a probability P n (y t ) that the t-th compressed data item is not maliciousness class i, by using the first determination model with the t-th compressed data feature F t , and calculates a probability ratio S it in relation to class i for the t-th compressed data item as the following equation 2:
  • the first accumulated maliciousness determination unit 317 calculates the accumulated probability ratio S i,1:t in relation to the maliciousness class i to the t-th compressed data item according to the following equation 3:
  • the process here is performed in operation S 507 .
  • in the first accumulated maliciousness determination unit 317 , it is determined whether or not the accumulated probability ratio S i,1:t is greater than a maximum threshold (b i ) for class i in operation S 508 .
  • if the accumulated probability ratio S i,1:t is greater, it is determined that the input data is class i in operation S 509 . If the accumulated probability ratio S i,1:t is less than the maximum threshold (b i ), it is determined whether or not the accumulated probability ratio S i,1:t is less than a minimum threshold (a i ) in operation S 511 . If the accumulated probability ratio S i,1:t is less than the minimum threshold (a i ), it is determined that the input data is not class i in operation S 513 .
  • if the accumulated probability ratio S i,1:t is greater than the minimum threshold (a i ), the accumulated probability ratio S i,1:t is between the maximum threshold and the minimum threshold of class i. Accordingly, a (t+1)-th data item is input and the process described above is repeated in operation S 515 .
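The bodies of equations 2 and 3 are not reproduced in this text, so the exact formulas remain unspecified here. Read as a Wald-style sequential probability ratio test, however, the per-item ratio S it and the accumulated ratio S i,1:t of operations S 507 through S 515 admit a sketch like the following; the log-domain formulation and the epsilon guard are assumptions, not the patent's stated equations:

```python
from math import log

def update_accumulated_ratio(s_prev, p_i, p_n, eps=1e-12):
    # Equation-3-style accumulation, sketched in the log domain:
    # S_{i,1:t} = S_{i,1:t-1} + S_{it}, with S_{it} = log(P_i(y_t) / P_n(y_t)).
    return s_prev + log(max(p_i, eps) / max(p_n, eps))

def decide(s_acc, a_i, b_i):
    # Threshold test of operations S508-S515: above the maximum threshold b_i
    # the data is class i (S509); below the minimum threshold a_i it is not
    # class i (S513); in between, the (t+1)-th data item is requested (S515).
    if s_acc > b_i:
        return "class_i"
    if s_acc < a_i:
        return "not_class_i"
    return "continue"

# One ambiguous item keeps the test running; a confident item ends it.
s = update_accumulated_ratio(0.0, 0.6, 0.4)   # ~0.405: between thresholds
first = decide(s, a_i=-2.0, b_i=2.0)          # "continue"
s = update_accumulated_ratio(s, 0.9, 0.1)     # ~2.602: exceeds b_i
second = decide(s, a_i=-2.0, b_i=2.0)         # "class_i"
```

The same two functions describe the non-compressed-domain path of equations 6 and 7, with P i (x t ) and P n (x t ) in place of the compressed-domain probabilities.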
  • the decompression unit 323 decodes the compressed data and outputs the result in operation S 503 .
  • the non-compressed domain feature extraction unit 325 receives the input of the decompressed data (x t ), and extracts the t-th non-compressed data feature (U t ) in operation S 505 .
  • the second maliciousness determination unit 327 calculates a probability P i (x t ) that the t-th decompressed data item is maliciousness class i, and a probability P n (x t ) that the t-th decompressed data item is not maliciousness class i, by using the second determination model with the t-th non-compressed data feature U t , and calculates a probability ratio S it in relation to class i for the t-th decompressed data item as the following equation 6:
  • the second accumulated maliciousness determination unit 329 calculates the accumulated probability ratio S i,1:t in relation to the maliciousness class i to the t-th decompressed data item according to the following equation 7:
  • the process here is performed in operation S 507 .
  • in the second accumulated maliciousness determination unit 329 , it is determined whether or not the accumulated probability ratio S i,1:t is greater than a maximum threshold (b i ) for class i in operation S 508 . If the accumulated probability ratio S i,1:t is greater, it is determined that the input data is class i in operation S 509 . If the accumulated probability ratio S i,1:t is less than the maximum threshold (b i ), it is determined whether or not the accumulated probability ratio S i,1:t is less than a minimum threshold (a i ) in operation S 511 .
  • if the accumulated probability ratio S i,1:t is less than the minimum threshold (a i ), it is determined that the input data is not class i in operation S 513 .
  • if the accumulated probability ratio S i,1:t is greater than the minimum threshold (a i ), the accumulated probability ratio S i,1:t is between the maximum threshold and the minimum threshold of class i. Accordingly, a (t+1)-th data item is input and the process described above is repeated in operation S 515 .
  • FIG. 3C shows another detailed structure of the malicious data classification unit 120 of FIG. 1 .
  • the operations in the compressed domain feature extraction unit 333 , the first maliciousness determination unit 335 , and the first accumulated maliciousness determination unit 347 are the same as those in FIG. 3A
  • the operations in the decompression unit 341 , the non-compressed domain feature extraction unit 343 , and the second accumulated maliciousness determination unit 349 are the same as those in FIG. 3B .
  • the operation of the input unit 311 is also the same. Accordingly, those explanations will be omitted here.
  • a unified accumulated maliciousness determination unit 351 finally determines the maliciousness class of the multimedia service, by unifying the maliciousness class determination results in the compressed domain and the non-compressed domain.
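The text does not spell out the unification rule used by the unified accumulated maliciousness determination unit 351. One plausible sketch, under the assumption that each domain contributes an accumulated probability ratio and that a weighted sum is an acceptable combination, is:

```python
def unified_decide(s_compressed, s_noncompressed, a_i, b_i, w=0.5):
    # Combine the two domains' accumulated maliciousness ratios with an
    # assumed weighted sum, then apply the same maximum/minimum threshold
    # test that each domain uses on its own.
    s = w * s_compressed + (1.0 - w) * s_noncompressed
    if s > b_i:
        return "class_i"
    if s < a_i:
        return "not_class_i"
    return "continue"
```

Other unification rules (for example, requiring both domains to agree before cutting off the service) would fit the description equally well; the weighted sum is only one assumed concretization.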
  • FIGS. 6A and 6B show a method of filtering malicious moving pictures by the malicious information filtering unit 130 .
  • since the accumulated maliciousness class probability ratio is less than the maximum threshold of maliciousness class i before determination time t 1 , the service is provided. However, immediately after the time t 1 , the accumulated ratio exceeds the maximum threshold and the service is cut off. Since the accumulated maliciousness class probability ratio again falls below the maximum threshold of maliciousness class i at determination time t 2 , the service is resumed.
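The cut-off-then-resume behavior described above can be sketched as a streaming loop. The log-ratio accumulation and the probability values are assumptions standing in for the unspecified equations, and only the maximum threshold is used because the description here is of service toggling around that threshold:

```python
from math import log

def filter_stream(prob_pairs, b_i):
    # Serve or cut off each data item: the service runs while the accumulated
    # maliciousness ratio stays at or below the maximum threshold b_i, and is
    # cut off whenever the accumulated ratio exceeds it.
    s, decisions = 0.0, []
    for p_i, p_n in prob_pairs:
        s += log(p_i / p_n)
        decisions.append("cut_off" if s > b_i else "served")
    return decisions

# Harmless lead-in, a malicious burst, then harmless data again: the service
# is provided, cut off after the burst pushes the ratio over b_i, and resumed
# once later harmless data pulls the ratio back down.
timeline = filter_stream(
    [(0.3, 0.7), (0.9, 0.1), (0.9, 0.1), (0.1, 0.9), (0.1, 0.9)], b_i=1.5
)
# timeline == ["served", "served", "cut_off", "served", "served"]
```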
  • one characteristic of the present invention is that features are extracted from compressed data and used in order to enhance the speed and performance of classifying malicious multimedia service classes.
  • the maliciousness class is not determined only by using data at a predetermined time, but is determined by information correlating past data and data at the predetermined time, and when the maliciousness class of data is determined, a machine-training-based maliciousness class classification model is used. Also, by sequentially processing data, the present invention is made appropriate for filtering both real-time and non-real-time malicious multimedia services.
  • the method of filtering malicious multimedia using sequential data processing can also be embodied as computer readable codes on a computer readable recording medium.
  • the computer readable recording medium is any data storage device that can store data which can be thereafter read by a computer system. Examples of the computer readable recording medium include read-only memory (ROM), random-access memory (RAM), CD-ROMs, magnetic tapes, floppy disks, optical data storage devices, and carrier waves (such as data transmission through the Internet).
  • the computer readable recording medium can also be distributed over network coupled computer systems so that the computer readable code is stored and executed in a distributed fashion.
  • the data structure according to the present invention can be implemented as computer readable codes on a recording medium such as ROM, RAM, CD-ROMs, magnetic tapes, floppy disks, flash memory, and optical data storage devices.
  • according to the method and apparatus for filtering malicious multimedia service using sequential data processing of the present invention as described above, maliciousness classes of multimedia data are quickly and accurately classified through the sequential data processing technique. Accordingly, the method and apparatus can be usefully applied to services of examining malicious multimedia existing in a storage space, examining the maliciousness of multimedia data being reproduced, and examining the maliciousness of real-time streaming services.
  • examination of the maliciousness class of a multimedia file existing in a storage space can be performed more quickly than the conventional method of determining maliciousness based on entire data.
  • in the case of multimedia data that is only partially malicious, the malicious part alone can be selectively extracted or cut off.
  • a feature with which a maliciousness class can be determined can be extracted from a compressed domain and therefore the feature extraction speed is fast.
  • instead of a rule-based method, such as one relying on the presence or ratio of a predetermined color, a maliciousness class classification model based on machine training is used, so the accuracy and speed of the maliciousness class classification of data are high.
  • instead of the conventional classification depending only on data at a predetermined time, correlated information between past accumulated data and data at the predetermined time is analyzed and used, and therefore the accuracy of classification is high.
  • both past information and data at the predetermined time can be utilized as bases for determination, without depending only on data at a predetermined time.
  • the determination performance can also be enhanced through analysis of the correlated information between continuous data items.
  • the maliciousness classification model that is a machine-training result in relation to high-level features extracted from data of a compressed domain or a non-compressed domain is used such that the performance of the maliciousness class classification is excellent.
  • when a maliciousness class is classified by extracting the feature of data only from a compressed domain, malicious multimedia services can be classified much faster.
  • when a maliciousness class is classified by extracting the feature of data from a non-compressed domain, the time taken for classification increases, but the accuracy can be much higher.
  • a maliciousness class can also be classified by extracting the feature of data from both a compressed domain and a non-compressed domain according to selection by a user, and in this case, the performance of the classification is greatly enhanced.


Abstract

An apparatus for filtering malicious multimedia data using sequential processing and a method thereof are provided. The apparatus includes: a maliciousness classification model training unit extracting a predetermined feature from at least one or more types of moving pictures and then, through machine training, generating a maliciousness determination model for each of at least one or more classes; a malicious data classification unit sequentially inputting input moving pictures for which maliciousness is required to be determined, to the maliciousness determination model, and determining the maliciousness class of the input moving pictures, based on a probability that data at a determination time of the input moving pictures belongs to a predetermined maliciousness class, and an accumulated maliciousness probability to a current time; and a malicious information filtering unit cutting off service if the maliciousness class belongs to a predetermined reference maliciousness class.

Description

CROSS-REFERENCE TO RELATED PATENT APPLICATIONS
This application claims the benefit of Korean Patent Application No. 10-2005-0119996, filed on Dec. 8, 2005, in the Korean Intellectual Property Office, the disclosure of which is incorporated herein in its entirety by reference.
BACKGROUND OF THE INVENTION
1. Field of the Invention
The present invention relates to an apparatus for filtering a malicious multimedia service based on sequential data processing and a method thereof. More particularly, according to the apparatus and method, multimedia data existing in a variety of forms, including multimedia streaming transmitted online in real time, a multimedia file existing in a storage space and being reproduced, and a multimedia file existing in a storage space, is sequentially input, and a maliciousness class ratio is calculated by using a maliciousness class classification model trained in advance. Then, if the accumulated value of the ratio is equal to or greater than the maximum threshold of a predetermined class, it is determined that the multimedia data belongs to the maliciousness class. If the accumulated value is equal to or less than the minimum threshold of the predetermined class, it is determined that the multimedia data belongs to another class. If the accumulated value is between the maximum threshold value and the minimum threshold value, an input of the next data is received and a maliciousness class ratio is calculated. Then, an accumulated value is again calculated and a maliciousness class is determined in the same manner.
2. Description of the Related Art
Thanks to the recent widespread use of the Internet and increases in data transmission speeds, real-time multimedia services, such as audio on demand (AOD), video on demand (VOD), e-learning, and online media, and non-real-time multimedia services, in which multimedia data is received through P2P or other Internet services, stored in a PC, and reproduced, have been increasing. Among these services, cyber education, online news, and online theaters provide positive effects in social, economic, and academic aspects, but malicious multimedia services operating with commercial purposes have harmful influences on Internet users who are immature and have less judgment and self-control. In particular, in the case of multimedia services, the influences and side effects on the users are greater than with conventional text information services. Accordingly, a method of filtering malicious multimedia information is needed so that juveniles, or users who do not want such services, are not exposed to the malicious information.
Among the conventional methods of determining the maliciousness of multimedia services, the mainstream methods compare additional text information, such as service names and explanations existing in the header of a service, rather than the contents of the service itself, to malicious word dictionaries for keyword matching. Since these methods do not base the determination on the contents of the malicious multimedia services, they can easily be circumvented and cannot be very effective.
In order to solve this problem, a method of receiving the entire data of a multimedia service, extracting and analyzing a feature (for example, the ratio of the presence of a predetermined color) from the entire data, and thereby determining the maliciousness of the multimedia service has been introduced. Since all data of the multimedia service must be received and then analyzed according to this method, the method has the disadvantage of requiring a large storage space and much time to determine maliciousness. Also, since it uses a very simple feature in the determination of maliciousness, the classification performance is low. Furthermore, it has the additional problem that the determination is performed only after the malicious multimedia has been fully exposed to the user.
To solve this problem, there is a method by which data is received in real time, data items are processed one by one to determine maliciousness, and malicious items are then filtered. However, this method has low classification performance because only a simple feature of the data at the examination time is used for determining maliciousness. Furthermore, since it cannot apply the continuous features of the data received up to the time of examination, harmless data may be mistaken for malicious data, or malicious data may be mistaken for harmless data and then exposed to users.
SUMMARY OF THE INVENTION
The present invention provides an apparatus and method by which in relation to multimedia data existing in a variety of forms, including multimedia streaming transmitted in real time, and a multimedia file existing in a storage space and being reproduced, by sequentially processing the data using a sequential data processing technique, malicious multimedia services are classified in real time and filtered.
According to an aspect of the present invention, there is provided a malicious multimedia filtering apparatus based on sequential data processing, the apparatus including: a maliciousness classification model training unit extracting a predetermined feature from at least one or more types of moving pictures and then, through machine training, generating a maliciousness determination model for each of at least one or more classes; a malicious data classification unit sequentially inputting input moving pictures for which maliciousness is required to be determined, to the maliciousness determination model, and determining the maliciousness class of the input moving pictures, based on a probability that data at a determination time of the input moving pictures belongs to a predetermined maliciousness class, and an accumulated maliciousness probability to a current time; and a malicious information filtering unit cutting off the service if the maliciousness class belongs to a predetermined reference maliciousness class.
BRIEF DESCRIPTION OF THE DRAWINGS
The above and other features and advantages of the present invention will become more apparent by describing in detail exemplary embodiments thereof with reference to the attached drawings in which:
FIG. 1 is a block diagram of a structure of an apparatus for filtering a malicious multimedia service based on sequential data processing according to an embodiment of the present invention;
FIG. 2 is a block diagram of a detailed structure of a maliciousness classification model training unit of FIG. 1 according to an embodiment of the present invention;
FIG. 3A is a block diagram of a detailed structure of a malicious data classification unit of FIG. 1 according to an embodiment of the present invention;
FIG. 3B is a block diagram of a detailed structure of a malicious data classification unit of FIG. 1 according to another embodiment of the present invention;
FIG. 3C is a block diagram of a detailed structure of a malicious data classification unit of FIG. 1 according to another embodiment of the present invention;
FIG. 4 is a flowchart of a method of filtering a malicious multimedia service based on sequential data processing according to an embodiment of the present invention;
FIG. 5 is a detailed flowchart of an operation for determining whether or not moving pictures belong to a maliciousness class of FIG. 4 according to an embodiment of the present invention;
FIG. 6A illustrates a result of providing a service with filtering malicious moving pictures according to an embodiment of the present invention; and
FIG. 6B illustrates a result of providing a service with filtering malicious moving pictures according to another embodiment of the present invention.
DETAILED DESCRIPTION OF THE INVENTION
The present invention will now be described more fully with reference to the accompanying drawings, in which exemplary embodiments of the invention are shown. The invention may, however, be embodied in many different forms and should not be construed as being limited to the embodiments set forth herein; rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the concept of the invention to those skilled in the art.
FIG. 1 is a block diagram of a structure of an apparatus for filtering a malicious multimedia service based on sequential data processing according to an embodiment of the present invention. FIG. 2 is a block diagram of a detailed structure of a maliciousness classification model training unit 110 of FIG. 1, and FIGS. 3A through 3C are block diagrams of a variety of detailed structures of a malicious data classification unit 120 of FIG. 1.
FIG. 4 is a flowchart of a method of filtering a malicious multimedia service based on sequential data processing according to an embodiment of the present invention, and FIG. 5 is a detailed flowchart of an operation for determining whether or not moving pictures belong to a maliciousness class of FIG. 4 according to an embodiment of the present invention. FIGS. 6A and 6B illustrate results of providing services with filtering malicious moving pictures according to an embodiment of the present invention.
First, referring to FIGS. 1 and 4, the apparatus and method according to an embodiment of the present invention will now be explained broadly. The apparatus includes a maliciousness classification model training unit 110, a malicious data classification unit 120, and a malicious information filtering unit 130. The maliciousness classification model training unit 110 receives an input of multimedia data whose maliciousness degree is known in advance, extracts a feature with which a maliciousness class can be classified, and generates a malicious information classification model through machine training in operation S410. The malicious data classification unit 120 calculates the maliciousness class probability of data by using the malicious information classification model generated in the maliciousness classification model training unit 110 in operation S420. By using the maliciousness class probability of a data item measured at a predetermined time and the ratio accumulated up to the previous data item, an accumulated maliciousness class ratio is calculated and the maliciousness class of the multimedia service is determined in operation S430. The malicious information filtering unit 130 cuts off a service that is classified as a maliciousness class, and continues to provide services that are not classified as a maliciousness class.
Referring to FIG. 2, the maliciousness classification model training unit 110 is divided into a compressed domain unit 210 generating a compressed domain maliciousness classification model (a first determination model) from compressed sample data (training moving pictures), and a non-compressed domain unit 220 generating a non-compressed domain maliciousness classification model (a second determination model). A first feature extraction unit 211 extracts a feature with which the class of malicious data in the sample data can be classified. A first machine training unit 213 receives the input of the feature and performs machine training. A first model generation unit 215 receives the input of the result of the machine training and generates and outputs the first determination model.
In the non-compressed domain unit 220, a decompression unit 221 decodes sample data to decompress the data, and outputs the result. A second feature extraction unit 223 extracts a feature with which the class of malicious data in the decompressed sample data can be classified. A second machine training unit 225 receives the input of this feature and performs machine training. A second model training unit 227 receives the input of the result of the machine training and generates and outputs the second determination model. The process here is performed in operation S410.
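The training step of operation S410 can be sketched as follows. This is a hedged illustration only: the patent specifies machine training (for example, a support vector machine, per the claims) without prescribing a particular model, so the one-dimensional Gaussian model, function names, and feature values below are assumptions made for illustration, not the patent's implementation.

```python
import math

def train_class_model(features):
    """Estimate mean and variance of a 1-D feature for one class.
    A stand-in for the machine-training step of operation S410; the
    patent names SVMs as one possible trainer but fixes no model."""
    n = len(features)
    mean = sum(features) / n
    var = sum((f - mean) ** 2 for f in features) / n
    return {"mean": mean, "var": max(var, 1e-9)}

def likelihood(model, f):
    """Gaussian likelihood of feature value f under a trained class model."""
    var = model["var"]
    coeff = 1.0 / math.sqrt(2 * math.pi * var)
    return coeff * math.exp(-((f - model["mean"]) ** 2) / (2 * var))

# Hypothetical training features for each class (e.g. a per-frame
# color-ratio feature); the numbers are illustrative only.
malicious_model = train_class_model([0.7, 0.8, 0.75, 0.85])
harmless_model = train_class_model([0.1, 0.2, 0.15, 0.25])

# Ratio of the two likelihoods for a new feature value, analogous to
# the per-item maliciousness class probability ratio used later.
ratio = likelihood(malicious_model, 0.78) / likelihood(harmless_model, 0.78)
```

In practice the feature would be the n-element vector of equation 1 below and the trainer could be an SVM; the Gaussian here only makes the probability-ratio mechanics concrete.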
The malicious data classification unit 120 sequentially receives moving pictures that require maliciousness determination in operation S420. By inputting the moving pictures into the first and second determination models, a probability ratio that the data at a determination time belongs to a predetermined maliciousness class and an accumulated probability ratio are calculated, so that it can be determined whether or not the data is malicious in operation S430. FIG. 3A shows a case where a maliciousness classification model in a compressed domain (hereinafter referred to as a ‘first determination model’) is used and FIG. 3B shows a case where a maliciousness classification model in a non-compressed domain (hereinafter referred to as a ‘second determination model’) is used. FIG. 3C shows a case where both of the models are used.
First, it is determined whether or not the maliciousness determination for the input moving pictures is to be performed in a compressed domain in operation S501. If the maliciousness determination is performed in a non-compressed domain, the moving pictures are decompressed in operation S503, and if the maliciousness determination is performed in a compressed domain, the decompression operation is not needed. After the decompression, identical processes are performed for the moving pictures.
Referring to FIG. 3A, if the first determination model is used, a first input unit 311 receives the input moving pictures sequentially, and transfers data items one by one to a compressed domain feature extraction unit 313. The compressed domain feature extraction unit 313 extracts the feature of the data in operation S505, and transfers the feature to a first maliciousness determination unit 315. The first maliciousness determination unit 315 calculates a maliciousness class probability ratio by using the first determination model in operation S507. A first accumulated maliciousness determination unit 317 finally determines the maliciousness class of the input moving pictures by considering the maliciousness class probability ratio calculated in the first maliciousness determination unit 315 and the maliciousness class ratio of data items previous to the determination time in operations S508 through S513.
The malicious information filtering unit 130 provides the multimedia service to users if the input moving pictures are determined to belong to a harmless class. If the service is to be cut off entirely whenever any part of the input moving pictures is malicious, the determination process is finished at that point; if only the malicious part of the input moving pictures is to be selectively cut off, the above process is repeatedly performed in operation S515.
Referring to FIG. 3B, a case where a second determination model is used will now be explained. Here, unlike FIG. 3A, a decompression unit 323 is further disposed and a process of decompressing data is required in operation S503. A second input unit 321 transfers the input moving pictures to the decompression unit 323. The decompression unit 323 decodes the input moving pictures and sequentially transfers the result to a non-compressed domain feature extraction unit 325. The non-compressed domain feature extraction unit 325 extracts the feature of the data in operation S505, and transfers the feature to a second maliciousness determination unit 327. The second maliciousness determination unit 327 calculates a maliciousness class probability ratio by using the second determination model in operation S507.
A second accumulated maliciousness determination unit 329 finally determines the maliciousness class of the input moving pictures by considering the maliciousness class probability ratio calculated in the second maliciousness determination unit 327 and the maliciousness class ratio of data items previous to the determination time in operations S508 through S513. The malicious information filtering unit 130 provides the multimedia service to users if the input moving pictures are determined to belong to a harmless class. If the service is to be cut off entirely whenever any part of the input moving pictures is malicious, the determination process is finished at that point; if only the malicious part of the input moving pictures is to be selectively cut off, the above process is repeatedly performed in operation S515.
The method of determining maliciousness will now be explained in more detail. Referring to FIG. 3A, the malicious data classification unit 120 sequentially receives data from the multimedia service (input moving pictures) through the first input unit 311. If the first input unit 311 transfers a t-th data item (yt) to the compressed domain feature extraction unit 313, the compressed domain feature extraction unit 313 extracts a t-th compressed data feature Ft from the data (yt) in operation S505. The extracted t-th compressed data feature Ft has n elements, as in the following equation 1:
Ft = (ft1, ft2, ft3, . . . , ftn)  (1)
The first maliciousness determination unit 315 calculates a probability Pi(yt) that the t-th compressed data item is maliciousness class i, and a probability Pn(yt) that the t-th compressed data item is not maliciousness class i, by using the first determination model with the t-th compressed data feature Ft, and calculates a probability ratio Sit in relation to class i for the t-th compressed data item, as in the following equation 2:
Sit = Pi(yt) / Pn(yt)  (2)
By using the probability ratio Sit in relation to maliciousness class i for the t-th compressed data item, the first accumulated maliciousness determination unit 317 calculates the accumulated probability ratio Si,1:t in relation to maliciousness class i up to the t-th compressed data item according to the following equation 3:
Si,1:t = Pi(y1:t) / Pn(y1:t)  (3)
The process here is performed in operation S507.
By using the accumulated probability ratio Si,1:t in relation to maliciousness class i up to the t-th compressed data item, the first accumulated maliciousness determination unit 317 determines a maliciousness class according to the following equation 4:
D = Ri, if Si,1:t > bi, where bi > 0
D ≠ Ri, if Si,1:t < ai, where ai < 0  (4)
In the first accumulated maliciousness determination unit 317, it is determined whether or not the accumulated probability ratio Si,1:t is greater than a maximum threshold (bi) for class i in operation S508.
If the accumulated probability ratio Si,1:t is greater, it is determined that the t-th data item is class i in operation S509. If the accumulated probability ratio Si,1:t is less than the maximum threshold (bi), it is determined whether or not the accumulated probability ratio Si,1:t is less than a minimum threshold (ai) in operation S511. If the accumulated probability ratio Si,1:t is less than the minimum threshold (ai), it is determined that the t-th data item is not class i in operation S513. If the accumulated probability ratio Si,1:t is greater than the minimum threshold (ai), the accumulated probability ratio Si,1:t is between the maximum threshold and the minimum threshold of class i. Accordingly, a (t+1)-th data item is input and the process described above is repeated in operation S515.
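The decision procedure of equations 2 through 4 has the form of a sequential probability ratio test: per-item ratios are accumulated and compared against the minimum and maximum thresholds. The Python sketch below is an illustration only, not the patent's implementation; working in log space for numerical stability, treating data items as conditionally independent, and the specific probabilities and thresholds are all assumptions made here.

```python
import math

def update_accumulated_ratio(prev_log_ratio, p_class, p_not_class):
    """Add the log likelihood ratio of the current data item to the
    running total: log Si,1:t = log Si,1:t-1 + log(Pi(yt)/Pn(yt)).
    Assumes data items are conditionally independent given the class."""
    return prev_log_ratio + math.log(p_class / p_not_class)

def classify_step(log_ratio, log_a, log_b):
    """Sequential decision of operations S508 through S513: 'class_i'
    if the accumulated ratio exceeds the maximum threshold bi,
    'not_class_i' if it falls below the minimum threshold ai,
    otherwise 'continue' with the next data item (S515)."""
    if log_ratio > log_b:
        return "class_i"
    if log_ratio < log_a:
        return "not_class_i"
    return "continue"

# Hypothetical per-item probabilities (P_i, P_n) for three data items.
probs = [(0.8, 0.2), (0.7, 0.3), (0.9, 0.1)]
log_a, log_b = math.log(0.1), math.log(10.0)  # illustrative thresholds

s = 0.0
decision = "continue"
for p_c, p_n in probs:
    s = update_accumulated_ratio(s, p_c, p_n)
    decision = classify_step(s, log_a, log_b)
    if decision != "continue":
        break
```

With these numbers, the first two items leave the accumulated ratio between the thresholds (so the loop continues), and the third pushes it past the maximum threshold, yielding a class-i determination.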
Referring to FIG. 3B, a process in the non-compressed domain will now be explained. If the second input unit 321 transfers a t-th data item (yt) to the decompression unit 323, the decompression unit 323 decodes the compressed data and outputs the result in operation S503. The non-compressed domain feature extraction unit 325 receives the input of the decompressed data (xt), and extracts a t-th decoded data feature (Ut) in operation S505.
The t-th decoded data feature (Ut) may be extracted from a variety of media, such as voice and images, and has n elements, as in the following equation 5:
Ut = (ut1, ut2, ut3, . . . , utn)  (5)
The second maliciousness determination unit 327 calculates a probability Pi(xt) that the t-th decoded data item is maliciousness class i, and a probability Pn(xt) that the t-th decoded data item is not maliciousness class i, by using the second determination model with the t-th decoded data feature Ut, and calculates a probability ratio Sit in relation to class i for the t-th decoded data item, as in the following equation 6:
Sit = Pi(xt) / Pn(xt)  (6)
By using the probability ratio Sit in relation to maliciousness class i for the t-th decoded data item, the second accumulated maliciousness determination unit 329 calculates the accumulated probability ratio Si,1:t in relation to maliciousness class i up to the t-th decoded data item according to the following equation 7:
Si,1:t = Pi(x1:t) / Pn(x1:t)  (7)
The process here is performed in operation S507.
By using the accumulated probability ratio Si,1:t in relation to maliciousness class i up to the t-th decoded data item, the second accumulated maliciousness determination unit 329 determines a maliciousness class according to the following equation 8:
D = Ri, if Si,1:t > bi, where bi > 0
D ≠ Ri, if Si,1:t < ai, where ai < 0  (8)
In the second accumulated maliciousness determination unit 329, it is determined whether or not the accumulated probability ratio Si,1:t is greater than a maximum threshold (bi) for class i in operation S508. If the accumulated probability ratio Si,1:t is greater, it is determined that the t-th data item is class i in operation S509. If the accumulated probability ratio Si,1:t is less than the maximum threshold (bi), it is determined whether or not the accumulated probability ratio Si,1:t is less than a minimum threshold (ai) in operation S511. If the accumulated probability ratio Si,1:t is less than the minimum threshold (ai), it is determined that the t-th data item is not class i in operation S513. If the accumulated probability ratio Si,1:t is greater than the minimum threshold (ai), the accumulated probability ratio Si,1:t is between the maximum threshold and the minimum threshold of class i. Accordingly, a (t+1)-th data item is input and the process described above is repeated in operation S515.
FIG. 3C shows another detailed structure of the malicious data classification unit 120 of FIG. 1. In the malicious data classification unit 120 of FIG. 3C, the operations in the compressed domain feature extraction unit 333, the first maliciousness determination unit 335, and the first accumulated maliciousness determination unit 347 are the same as those in FIG. 3A, and the operations in the decompression unit 341, the non-compressed domain feature extraction unit 343, and the second accumulated maliciousness determination unit 349 are the same as those in FIG. 3B. The operation of the input unit 311 is also the same. Accordingly, those explanations will be omitted here. However, a unified accumulated maliciousness determination unit 351 finally determines the maliciousness class of the multimedia service, by unifying the maliciousness class determination results in the compressed domain and the non-compressed domain.
FIGS. 6A and 6B show a method of filtering malicious moving pictures by the malicious information filtering unit 130.
First, referring to FIG. 6A, since the accumulated maliciousness class probability ratio before a determination time (t) is less than a maximum threshold with which data is determined to be class i, the service is provided, but after the determination time t, the accumulated ratio exceeds the maximum threshold and the service is cut off.
Meanwhile, referring to FIG. 6B, since the accumulated maliciousness class probability ratio is less than the maximum threshold of maliciousness class i before determination time t1, the service is provided. However, immediately after the time t1, the accumulated ratio exceeds the maximum threshold and the service is cut off. Then, since the accumulated maliciousness class probability ratio again falls below the maximum threshold of maliciousness class i at determination time t2, the service is resumed.
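The filtering behavior of FIGS. 6A and 6B can be sketched as follows. The numbers and the rule expressed as code are hypothetical: the figures only show that the service is cut off while the accumulated maliciousness class probability ratio exceeds the maximum threshold and is resumed once it falls back below it.

```python
def filter_service(accumulated_ratios, max_threshold):
    """Return per-time service states: the service is cut off while the
    accumulated maliciousness class probability ratio exceeds the
    maximum threshold, and resumed once it drops back below it."""
    return ["cut_off" if r > max_threshold else "provided"
            for r in accumulated_ratios]

# Hypothetical accumulated ratios over time, rising past the threshold
# after t1 and falling back below it by t2 (as in FIG. 6B).
ratios = [0.5, 0.9, 1.4, 1.8, 1.2, 0.8]
states = filter_service(ratios, max_threshold=1.0)
```

The resulting states trace the FIG. 6B scenario: provided before t1, cut off while the ratio stays above the threshold, and provided again at t2.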
As described above, the characteristics of the present invention include that features are extracted from compressed data and used in order to enhance the speed and performance of classifying malicious multimedia service classes. The maliciousness class is not determined by using only the data at a predetermined time, but by using information correlating past data and the data at the predetermined time, and when the maliciousness class of data is determined, a machine-training-based maliciousness class classification model is used. Also, by sequentially processing data, the present invention is made appropriate for filtering both real-time and non-real-time malicious multimedia services.
The method of filtering malicious multimedia using sequential data processing according to the present invention can also be embodied as computer readable codes on a computer readable recording medium. The computer readable recording medium is any data storage device that can store data which can be thereafter read by a computer system. Examples of the computer readable recording medium include read-only memory (ROM), random-access memory (RAM), CD-ROMs, magnetic tapes, floppy disks, optical data storage devices, and carrier waves (such as data transmission through the Internet). The computer readable recording medium can also be distributed over network coupled computer systems so that the computer readable code is stored and executed in a distributed fashion.
While the present invention has been particularly shown and described with reference to exemplary embodiments thereof, it will be understood by those of ordinary skill in the art that various changes in form and details may be made therein without departing from the spirit and scope of the present invention as defined by the following claims. The preferred embodiments should be considered in a descriptive sense only and not for purposes of limitation. Therefore, the scope of the invention is defined not by the detailed description of the invention but by the appended claims, and all differences within the scope will be construed as being included in the present invention.
According to the method and apparatus for filtering malicious multimedia service using sequential data processing of the present invention as described above, maliciousness classes of multimedia data are quickly and accurately classified through the sequential data processing technique. Accordingly, the method and apparatus can be usefully applied to services of examining malicious multimedia existing in a storage space, examining maliciousness of multimedia data being reproduced, and examining maliciousness of real-time streaming services.
Also, with the present invention, examination of the maliciousness class of a multimedia file existing in a storage space can be performed more quickly than the conventional method of determining maliciousness based on entire data. In case of multimedia data that is partially malicious, only the malicious part can be selectively extracted or cut off.
Furthermore, when the maliciousness of a multimedia service is determined, a feature with which a maliciousness class can be determined can be extracted from a compressed domain, and therefore the feature extraction speed is fast. When the maliciousness class of data is classified, a rule-based method, such as one using the presence or ratio of a predetermined color, is not used; instead, a maliciousness class classification model based on machine training is used, such that the accuracy and speed of the maliciousness class classification of data are high.
Also, since the sequential data processing technique is used, the present invention is appropriate for cutting off malicious multimedia services in which data is input sequentially in real time.
Rather than the conventional classification depending only on data at a predetermined time, correlated information between past accumulated data and the data at the predetermined time is analyzed and used, and therefore the accuracy of classification is high.
Also, since the accumulated value of resulting values obtained by sequentially processing data is used, both past information and data at the predetermined time can be utilized as bases for determination, without depending only on data at a predetermined time. The determination performance can also be enhanced through analysis of the correlated information between continuous data items.
When the maliciousness of data at a predetermined time is determined, unlike the conventional method using only simple information, such as the presence ratio of a predetermined color, the maliciousness classification model that is a machine-training result in relation to high-level features extracted from data of a compressed domain or a non-compressed domain is used such that the performance of the maliciousness class classification is excellent.
Finally, when a maliciousness class is classified by extracting the feature of data only from a compressed domain, malicious multimedia services can be classified much faster. When a maliciousness class is classified by extracting the feature of data from a non-compressed domain, the time taken for classification increases, but the accuracy can be much higher. Also, a maliciousness class can be classified by extracting the feature of data from both a compressed domain and a non-compressed domain according to a selection by the user, and in this case, the classification performance is further enhanced.

Claims (12)

1. A malicious multimedia filtering apparatus based on sequential data processing, the apparatus comprising:
a maliciousness classification model training unit extracting a predetermined feature from at least one or more types of moving pictures and then, through machine training, generating a maliciousness determination model for each of at least one or more classes;
a malicious data classification unit sequentially inputting input moving pictures for which maliciousness is required to be determined, to the maliciousness determination model, and determining the maliciousness class of the input moving pictures, based on a probability that data at a determination time of the input moving pictures belongs to a predetermined maliciousness class, and an accumulated maliciousness probability to a current time,
wherein the maliciousness class is determined based on the probability that the data at the determination time of the input moving pictures belongs to the maliciousness class and previous probabilities that previous data of the sequentially inputted moving pictures belongs to the determined maliciousness class at least at one second time, and
wherein the second time is before the determination time of the sequentially inputted moving pictures and is within a time frame for generating accumulated maliciousness probabilities before the determination time; and
a malicious information filtering unit cutting off the service if the maliciousness class belongs to a predetermined reference maliciousness class.
2. The apparatus of claim 1, wherein the maliciousness classification model training unit comprises:
a compressed domain model training unit extracting the feature from compressed moving pictures whose maliciousness class is known, performing machine training, including a support vector machine (SVM), and generating a first determination model; and
a non-compressed domain model training unit extracting the feature from non-compressed moving pictures whose maliciousness class is known, performing machine training, including an SVM, and generating a second determination model.
3. The apparatus of claim 1, wherein the malicious data classification unit comprises:
an input unit receiving input moving pictures and sequentially outputting the input moving pictures;
an extraction unit extracting the feature from the input moving pictures sequentially being output, and outputting the feature;
a maliciousness determination unit inputting the feature to the maliciousness classification model and calculating a maliciousness class probability ratio that the data of the input moving pictures at a predetermined determination time belongs to a predetermined maliciousness class; and
an accumulated maliciousness determination unit calculating an accumulated maliciousness probability ratio obtained by accumulating maliciousness probabilities before the determination time, based on the maliciousness class probability ratio, and determining whether or not the input moving pictures belong to the maliciousness class.
4. The apparatus of claim 3, wherein the malicious data classification unit further comprises a decompression unit decoding the input moving pictures, if the input moving pictures are compressed, and then outputting the result to the extraction unit.
5. The apparatus of claim 3, wherein the maliciousness determination unit obtains the maliciousness class probability ratio from a ratio of a probability that the data of the input moving pictures at the determination time belongs to the maliciousness class to a probability that the data of the input moving pictures at the determination time do not belong to the maliciousness class.
6. The apparatus of claim 3, wherein if the maliciousness class probability ratio is greater than the maximum threshold of the maliciousness class, the accumulated maliciousness determination unit determines that the moving pictures belong to the maliciousness class; if the maliciousness class probability ratio is less than the minimum threshold of the maliciousness class, the accumulated maliciousness determination unit determines that the moving pictures do not belong to the maliciousness class; and if the maliciousness class probability ratio is between the maximum threshold and the minimum threshold of the maliciousness class, the accumulated maliciousness determination unit repeats the determination process for a next data item of the moving pictures.
7. The apparatus of claim 1, wherein if it is determined that the moving pictures belong to the maliciousness class, the malicious information filtering unit determines that the maliciousness class determination process is continuously performed while cutting off outputting data to an external apparatus.
8. A malicious multimedia filtering method based on sequential data processing, the method comprising:
extracting a predetermined feature from at least one or more types of moving pictures and then, through machine training, generating a maliciousness determination model for each of at least one or more classes;
sequentially receiving input moving pictures for which maliciousness is to be determined, and inserting the moving pictures into the maliciousness determination model;
based on a probability ratio that a data item at a determination time when maliciousness is determined through the inserting belongs to a predetermined maliciousness class and an accumulated probability ratio up to the determination time, determining whether or not the data item belongs to the maliciousness class,
wherein whether the data item belongs to the predetermined maliciousness class is determined based on the probability that data at the determination time of the received input moving pictures belongs to the predetermined maliciousness class and on previous probabilities that previous data of the sequentially received input moving pictures belong to the predetermined maliciousness class at least one second time, and
wherein the second time is before the determination time of the sequentially received input moving pictures and is within a time frame for accumulating maliciousness probabilities before the determination time; and
cutting off the service if the maliciousness class belongs to a predetermined reference maliciousness class.
9. The method of claim 8, wherein, in the extracting of the predetermined feature and the generating of the maliciousness determination model, the maliciousness determination model for each maliciousness class is generated by performing machine training after extracting a predetermined feature from compressed moving pictures and non-compressed moving pictures.
10. The method of claim 8, wherein the determining of whether or not the data item belongs to the maliciousness class comprises:
determining whether or not the input moving pictures are of a compressed domain;
if the determination result indicates that the input moving pictures are of a non-compressed domain, extracting a predetermined feature from the input moving pictures, and if the determination result indicates that the input moving pictures are of a compressed domain, decompressing the moving pictures and then extracting the feature;
by inserting the feature into the maliciousness determination model, calculating a maliciousness probability ratio that is a ratio of a probability that the data item at the determination time belongs to a predetermined maliciousness class to a probability that the data item at the determination time does not belong to the predetermined maliciousness class; and
determining a maliciousness class by calculating the accumulated probability ratio up to the determination time based on the maliciousness probability ratio.
11. The method of claim 10, wherein the determining of the maliciousness class comprises:
comparing the maliciousness class probability ratio with a maximum threshold of the maliciousness class; and
if the comparison result indicates that the maliciousness class probability ratio is greater than the maximum threshold of the maliciousness class, determining that the moving pictures belong to the maliciousness class, and
if the maliciousness class probability ratio is less than the minimum threshold of the maliciousness class, determining that the moving pictures do not belong to the maliciousness class, and if the maliciousness class probability ratio is between the maximum threshold and the minimum threshold of the maliciousness class,
performing again from the extracting of the feature for a data item of the input moving pictures at a next determination time.
12. The method of claim 8, wherein the cutting off of the service further comprises resuming the service if the maliciousness class probability ratio of the input moving pictures that are input after stopping the service is less than the minimum threshold of the reference maliciousness class.
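The method of claims 8 through 12 can be sketched end to end as a streaming filter; the model interface (returning per-item malicious and benign probabilities), the threshold values, and the generator shape are illustrative assumptions, not the patented implementation:

```python
import math

def filter_stream(data_items, model, max_threshold=20.0, min_threshold=0.05):
    """Pass data items through until the accumulated maliciousness
    probability ratio exceeds the maximum threshold (cut off the service,
    claim 8), while continuing the determination so the service can resume
    if the ratio later falls below the minimum threshold (claim 12)."""
    accumulated = 0.0  # accumulated log probability ratio
    blocked = False
    for item in data_items:
        # per claim 10: decompress if needed, extract a feature, score it;
        # here `model` stands in for that whole pipeline
        p_malicious, p_benign = model(item)
        accumulated += math.log(p_malicious / p_benign)
        if accumulated > math.log(max_threshold):
            blocked = True    # cut off output to the external apparatus
        elif accumulated < math.log(min_threshold):
            blocked = False   # resume the service
        if not blocked:
            yield item
```

For example, with a model that scores items 3 and onward as strongly malicious, the stream is cut off once the accumulated ratio crosses the maximum threshold and later items are withheld.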
US11/633,989 2005-12-08 2006-12-05 Apparatus for filtering malicious multimedia data using sequential processing and method thereof Active 2029-06-16 US7796828B2 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
KR10-2005-0119996 2005-12-08
KR1020050119996A KR100670815B1 (en) 2005-12-08 2005-12-08 Apparatus for filtering malicious multimedia data using sequential processing and method thereof

Publications (2)

Publication Number Publication Date
US20070233735A1 US20070233735A1 (en) 2007-10-04
US7796828B2 true US7796828B2 (en) 2010-09-14

Family

ID=38014090

Family Applications (1)

Application Number Title Priority Date Filing Date
US11/633,989 Active 2029-06-16 US7796828B2 (en) 2005-12-08 2006-12-05 Apparatus for filtering malicious multimedia data using sequential processing and method thereof

Country Status (2)

Country Link
US (1) US7796828B2 (en)
KR (1) KR100670815B1 (en)

Families Citing this family (15)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8327443B2 (en) * 2008-10-29 2012-12-04 Lockheed Martin Corporation MDL compress system and method for signature inference and masquerade intrusion detection
US8312542B2 (en) * 2008-10-29 2012-11-13 Lockheed Martin Corporation Network intrusion detection using MDL compress for deep packet inspection
KR20110129224A (en) * 2010-05-25 2011-12-01 (주)뮤레카 Computer terminal having integrated control module to block harmful object and blocking system thereof
EP2418600A1 (en) * 2010-08-11 2012-02-15 Thomson Licensing Malware protection scheme
US8726385B2 (en) 2011-10-05 2014-05-13 Mcafee, Inc. Distributed system and method for tracking and blocking malicious internet hosts
US9521156B2 (en) 2013-02-10 2016-12-13 Paypal, Inc. Method and product for providing a predictive security product and evaluating existing security products
US10152591B2 (en) 2013-02-10 2018-12-11 Paypal, Inc. Protecting against malware variants using reconstructed code of malware
WO2018045165A1 (en) * 2016-09-01 2018-03-08 Cylance Inc. Container file analysis using machine learning models
US10637874B2 (en) 2016-09-01 2020-04-28 Cylance Inc. Container file analysis using machine learning model
US10503901B2 (en) 2016-09-01 2019-12-10 Cylance Inc. Training a machine learning model for container file analysis
KR101711833B1 (en) 2017-01-22 2017-03-13 주식회사 이노솔루텍 Analyzing and blocking system of harmful multi-media contents
US10375090B2 (en) * 2017-03-27 2019-08-06 Cisco Technology, Inc. Machine learning-based traffic classification using compressed network telemetry data
KR102317398B1 (en) * 2019-12-06 2021-10-26 가톨릭대학교 산학협력단 Method and Device for Determining Rate of Media
CN111416997B (en) * 2020-03-31 2022-11-08 百度在线网络技术(北京)有限公司 Video playing method and device, electronic equipment and storage medium
KR102454230B1 (en) 2021-01-28 2022-10-14 김민석 Real-time harmfulness inspection apparatus and method for video content

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6115057A (en) * 1995-02-14 2000-09-05 Index Systems, Inc. Apparatus and method for allowing rating level control of the viewing of a program
US20020147782A1 (en) * 2001-03-30 2002-10-10 Koninklijke Philips Electronics N.V. System for parental control in video programs based on multimedia content information
US20030121035A1 (en) * 2000-05-22 2003-06-26 Ro Yong Man Method and apparatus for protecting contents of pornography on internet
KR20040046537A (en) 2002-11-27 2004-06-05 엘지전자 주식회사 Method for harmfulness information interception of video on demand service
US20050108227A1 (en) * 1997-10-01 2005-05-19 Microsoft Corporation Method for scanning, analyzing and handling various kinds of digital information content
US20060031870A1 (en) * 2000-10-23 2006-02-09 Jarman Matthew T Apparatus, system, and method for filtering objectionable portions of a multimedia presentation
US20060068806A1 (en) * 2004-09-30 2006-03-30 Nam Taek Y Method and apparatus of selectively blocking harmful P2P traffic in network
US7383282B2 (en) * 2000-10-19 2008-06-03 Anthony David Whitehead Method and device for classifying internet objects and objects stored on computer-readable media

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP3847006B2 (en) 1998-08-26 2006-11-15 富士通株式会社 Image display control device and recording medium

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Zheng, et al. "Blocking objectionable images: Adult images and harmful symbols", IEEE, pp. 1223-1226, 2004. *

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20120115447A1 (en) * 2010-11-04 2012-05-10 Electronics And Telecommunications Research Institute System and method for providing safety content service
US20140160228A1 (en) * 2012-12-10 2014-06-12 Electronics And Telecommunications Research Institute Apparatus and method for modulating images for videotelephony
US9197851B2 (en) * 2012-12-10 2015-11-24 Electronics And Telecommunications Research Institute Apparatus and method for modulating images for videotelephony
US10977562B2 (en) 2017-08-07 2021-04-13 International Business Machines Corporation Filter for harmful training samples in active learning systems

Also Published As

Publication number Publication date
US20070233735A1 (en) 2007-10-04
KR100670815B1 (en) 2007-01-19

Similar Documents

Publication Publication Date Title
US7796828B2 (en) Apparatus for filtering malicious multimedia data using sequential processing and method thereof
US20190258660A1 (en) System and method for summarizing a multimedia content item
KR100707189B1 (en) Apparatus and method for detecting advertisment of moving-picture, and compter-readable storage storing compter program controlling the apparatus
CN107015961B (en) Text similarity comparison method
KR100687732B1 (en) Method for filtering malicious video using content-based multi-modal features and apparatus thereof
US20080281922A1 (en) Automatic generation of email previews and summaries
US10665267B2 (en) Correlation of recorded video presentations and associated slides
US7263660B2 (en) System and method for producing a video skim
CN110008378A (en) Corpus collection method, device, equipment and storage medium based on artificial intelligence
CN113450147B (en) Product matching method, device, equipment and storage medium based on decision tree
CN113392236A (en) Data classification method, computer equipment and readable storage medium
US11829875B2 (en) Information processing device, information processing method and computer readable storage medium
CN113038153B (en) Financial live broadcast violation detection method, device, equipment and readable storage medium
CN111435369B (en) Music recommendation method, device, terminal and storage medium
CN115359409B (en) Video splitting method and device, computer equipment and storage medium
US9268861B2 (en) Method and system for recommending relevant web content to second screen application users
US20070016576A1 (en) Method and apparatus for blocking objectionable multimedia information
CN116013299A (en) Multi-feature fusion video text generation method based on local semantic guidance
CN114880458A (en) Book recommendation information generation method, device, equipment and medium
CN113076932B (en) Method for training audio language identification model, video detection method and device thereof
CN109800326B (en) Video processing method, device, equipment and storage medium
CN111767259A (en) Content sharing method and device, readable medium and electronic equipment
CN114697762B (en) Processing method, processing device, terminal equipment and medium
CN114363664A (en) Method and device for generating video collection title
CN113778717A (en) Content sharing method, device, equipment and storage medium

Legal Events

Date Code Title Description
AS Assignment

Owner name: ELECTRONICS AND TELECOMMUNICATIONS RESEARCH INSTITUTE

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:HAN, SEUNG WAN;CHOI, SUGIL;NAM, TAEK YONG;AND OTHERS;REEL/FRAME:018691/0492

Effective date: 20061121

STCF Information on status: patent grant

Free format text: PATENTED CASE

FEPP Fee payment procedure

Free format text: PAYOR NUMBER ASSIGNED (ORIGINAL EVENT CODE: ASPN); ENTITY STATUS OF PATENT OWNER: SMALL ENTITY

FPAY Fee payment

Year of fee payment: 4

MAFP Maintenance fee payment

Free format text: PAYMENT OF MAINTENANCE FEE, 8TH YR, SMALL ENTITY (ORIGINAL EVENT CODE: M2552)

Year of fee payment: 8

MAFP Maintenance fee payment

Free format text: PAYMENT OF MAINTENANCE FEE, 12TH YR, SMALL ENTITY (ORIGINAL EVENT CODE: M2553); ENTITY STATUS OF PATENT OWNER: SMALL ENTITY

Year of fee payment: 12